Security

Widget Content Security Policy (CSP)

If your website uses a Content Security Policy, you'll need to add Mapster's domains to your CSP directives so the survey widget can load and function correctly.

Documentation

What is CSP?

Content Security Policy (CSP) is a security feature that helps prevent cross-site scripting (XSS) attacks and other code injection threats. It works by telling the browser which resources (scripts, styles, fonts, etc.) are allowed to load on your page.

CSP is delivered via an HTTP header or a <meta> tag. If your site uses CSP, external resources that aren't explicitly allowed will be blocked by the browser — including the Mapster widget.

If you don't have a CSP configured, the widget will work out of the box with no extra setup needed.

Required CSP Directives

To use the Mapster widget with CSP, add the following domains to your policy:

Directive	Value	Why
script-src	https://www.mapster.io https://cdn.jsdelivr.net	Widget script + React library from CDN
style-src	'unsafe-inline'	Widget injects inline CSS for styling
connect-src	https://www.mapster.io	API calls for poll data, responses, and analytics
font-src	https://www.mapster.io	Custom fonts (if used in your survey theme)
img-src	data: blob:	Inline images and icons

Full CSP Header Example

Here's a complete Content-Security-Policy header that allows the Mapster widget alongside your own resources:

HTTP Header

Content-Security-Policy:
  default-src 'self';
  script-src 'self' https://www.mapster.io https://cdn.jsdelivr.net;
  style-src 'self' 'unsafe-inline';
  connect-src 'self' https://www.mapster.io;
  font-src 'self' https://www.mapster.io;
  img-src 'self' data: blob:;

Replace 'self' values with your own domain policies as needed. The example above shows only the Mapster-specific additions you need to include.

Using a Nonce

If your CSP uses nonce-based authentication instead of domain allowlisting for scripts, you can add a nonce to the Mapster widget script tag.

A nonce is a random, single-use value generated per request that authenticates specific scripts. This is more restrictive than allowlisting a domain and is considered a best practice for strict CSP policies.

1. Set the CSP header with your nonce

HTTP Header

Content-Security-Policy:
  default-src 'self';
  script-src 'nonce-YOUR_RANDOM_NONCE' https://cdn.jsdelivr.net 'self';
  style-src 'unsafe-inline';
  connect-src https://www.mapster.io 'self';
  font-src https://www.mapster.io 'self';
  img-src 'self' data: blob:;

2. Add the nonce to the widget script tag

HTML

<script
  nonce="YOUR_RANDOM_NONCE"
  defer
  src="https://www.mapster.io/widget.js"
  widget-id="YOUR_WIDGET_ID"
></script>

The nonce must be unique per page load — never hardcode it. Generate it server-side on each request using a cryptographically secure random generator.

What Each Domain Is Used For

`www.mapster.io`

The widget script (/widget.js), API endpoints for fetching survey data and submitting responses, custom fonts, and analytics events.

`cdn.jsdelivr.net`

React 19 UMD bundles loaded by the widget at runtime. These are loaded from cdn.jsdelivr.net/npm/umd-react@19.2.1.

API Endpoints

The widget makes requests to the following www.mapster.io endpoints. These are covered by the connect-src directive.

Endpoint	Method	Purpose
/api/polls/get-poll	GET	Fetch survey configuration and questions
/api/polls/answer-poll	POST	Submit survey responses
/api/event	POST	Track page views and survey events

Framework Examples

Next.js

next.config.js

const cspHeader = `
  default-src 'self';
  script-src 'self' https://www.mapster.io https://cdn.jsdelivr.net;
  style-src 'self' 'unsafe-inline';
  connect-src 'self' https://www.mapster.io;
  font-src 'self' https://www.mapster.io;
  img-src 'self' data: blob:;
`;

module.exports = {
  async headers() {
    return [
      {
        source: '/(.*)',
        headers: [
          {
            key: 'Content-Security-Policy',
            value: cspHeader.replace(/\n/g, ''),
          },
        ],
      },
    ];
  },
};

Nginx

nginx.conf

add_header Content-Security-Policy "
  default-src 'self';
  script-src 'self' https://www.mapster.io https://cdn.jsdelivr.net;
  style-src 'self' 'unsafe-inline';
  connect-src 'self' https://www.mapster.io;
  font-src 'self' https://www.mapster.io;
  img-src 'self' data: blob:;
" always;

Meta Tag

If you can't set HTTP headers, you can use a meta tag instead. Note that some directives like frame-ancestors are not supported via meta tags.

HTML

<meta
  http-equiv="Content-Security-Policy"
  content="
    default-src 'self';
    script-src 'self' https://www.mapster.io https://cdn.jsdelivr.net;
    style-src 'self' 'unsafe-inline';
    connect-src 'self' https://www.mapster.io;
    font-src 'self' https://www.mapster.io;
    img-src 'self' data: blob:;
  "
/>

Troubleshooting

If the widget isn't loading on your site, open the browser console (F12 → Console tab) and look for CSP violation errors. They look like:

Refused to load the script 'https://www.mapster.io/widget.js'
because it violates the following Content Security Policy
directive: "script-src 'self'".

Widget script not loading

Add https://www.mapster.io to script-src

React not loading from CDN

Add https://cdn.jsdelivr.net to script-src

Widget styles not applied

Add 'unsafe-inline' to style-src

Survey data not fetching

Add https://www.mapster.io to connect-src

Custom fonts not loading

Add https://www.mapster.io to font-src

Still having issues? Contact us and we'll help you configure your CSP.